FRISK Software International


Summary of W32/Lirva.C@mm
Alias: I-Worm.Avron.c (KAV)
Discovered: 6 Jan 2003
Definition files: 7 Jan 2003
Risk Level: Low
Distribution: Low
Infection Method: Email attachment, local area network shares, peer-to-peer network (Kazaa), IRC, and ICQ instant messaging.
Payload: On the 7th, 11th and 24th of the month the worm opens www.avril-lavigne.com in a web browser and displays a graphical effect on the screen.

Brief Description
Lirva.C is written in Visual C++ and packed with the UPX packer. It spreads by email, sending itself as an email attachment; it also replicates through IRC and ICQ, through shared network drives and through peer-to-peer networks.


Technical Description
The worm looks in memory for processes whose names are on the following list and terminates them.

KPF.EXE
KPFW32.EXE
AVPM.EXE
AUTODOWN.EXE
AVKSERV.EXE
AVPUPD.EXE
BLACKD.EXE
CFIND.EXE
CLEANER.EXE
ECENGINE.EXE
F-PROT.EXE
FP-WIN.EXE
IAMSERV.EXE
ICLOADNT.EXE
IFACE.EXE
LOOKOUT.EXE
N32SCAN.EXE
NAVW32.EXE
NORMIST.EXE
PADMIN.EXE
PCCWIN98.EXE
RAV7WIN.EXE
SCAN95.EXE
SMC.EXE
TCA.EXE
VETTRAY.EXE
VSSTAT.EXE
ACKWIN32.EXE
AVCONSOL.EXE
AVPNT.EXE
AVPDOS32.EXE
AVSCHED32.EXE
BLACKICE.EXE
EFINET32.EXE
CLEANER3.EXE
ESAFE.EXE
F-PROT95.EXE
FPROT.EXE
IBMASN.EXE
ICMOON.EXE
IOMON98.EXE
LUALL.EXE
NAVAPW32.EXE
NAVWNT.EXE
NUPGRADE.EXE
PAVCL.EXE
PCFWALLICON.EXE
RESCUE.EXE
SCANPM.EXE
SPHINX.EXE
TDS2-98.EXE
VSSCAN40.EXE
WEBSCANX.EXE
WEBSCAN.EXE
ANTI-TROJAN.EXE
AVE32.EXE
AVP.EXE
AVPM.EXE
AVWIN95.EXE
CFIADMIN.EXE
CLAW95.EXE
DVP95.EXE
ESPWATCH.EXE
F-STOPW.EXE
FRW.EXE
IBMAVSP.EXE
ICSUPP95.EXE
JED.EXE
MOOLIVE.EXE
NAVLU32.EXE
NISUM.EXE
NVC95.EXE
NAVSCHED.EXE
PERSFW.EXE
SAFEWEB.EXE
SCRSCAN.EXE
SWEEP95.EXE
TDS2NT.EXE
VSECOMR.EXE
WFINDV32.EXE
AVPCC.EXE
AVPCC.EXE
APVXDWIN.EXE
AVGCTRL.EXE
AVP32.EXE
AVPTC32.EXE
AVWUPD32.EXE
CFIAUDIT.EXE
CLAW95CT.EXE
DV95_O.EXE
DV95.EXE
F-AGNT95.EXE
FINDVIRU.EXE
IAMAPP.EXE
ICLOAD95.EXE
ICSSUPPNT.EXE
LOCKDOWN2000.EXE
MPFTRAY.EXE
NAVNT.EXE
NMAIN.EXE
OUTPOST.EXE
NAVW.EXE
RAV7.EXE
SCAN32.EXE
SERV95.EXE
TBSCAN.EXE
VET95.EXE
VSHWIN32.EXE
ZONEALARM.EXE
VPMON.EXE
AVP32.EXE

It copies itself in two copies to the temporary directory, using a random name with ".exe" and ".tft" extensions. Then it copies another copy to the Windows system directory, again with a random name.

The worm also drops a file called avril-ii.inf into the temporary directory containing the following text:

2002 (c) Otto von Gutenberg
Made in .::]|KaZAkHstaN|[::.
As stated before, purpose is only educational, however...

I'm back to the scene with one more gift |Avril-II| 
(remember 'A' version of Avril-II)
HINT:NB: NEVER ACCEPT GIFTS FROM THE STRANGER
Avril-II is commonly dangerous because of its over-trojaned issues
~Greetz to Brigada Ocho (http://vx.netlux.org/~b8), 
Darkside Project(http://darkside.dtn.ru)
and Weisses Fleisch Project (http://wf.h1.ru)			
Many thankx to my muse Avril Lavigne whose beauty causes work to flow rapidly
New features included: ICQ/IrC/ShaReD (urgently persuade to check it instantly)
BackOrifice-server dropper included

Cheerz, Otto (www.otto-koden.h1.ru)

 

It adds the value "Avril Lavigne – Muse" to the registry key

"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

so that the worm is run each time the computer is started.
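A defender checking a machine for this autostart entry can export the Run key (`reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`) and scan the export offline. The Python script below is an added example, not FRISK's or F-PROT's code; the `.reg` text embedded in it is a constructed sample, and the executable name `jxkqd.exe` is a placeholder for the random name the worm picks. It matches the value name reported above, treating the dash as either a hyphen or an en dash because that character is easily altered when the writeup is copied.

```python
"""Scan a .reg export of the Run key for the Lirva.C autostart value.

Added example, not FRISK's tool. SAMPLE_REG_EXPORT is a constructed
imitation of `reg export` output; "jxkqd.exe" is a placeholder name.
"""
import re

# Value name the writeup reports the worm adds under the Run key.
LIRVA_VALUE_NAME = "Avril Lavigne \u2013 Muse"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample (already decoded to str). One benign entry, one entry
# shaped like the worm's: a random-named exe in the system directory.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Avril Lavigne – Muse"="C:\\WINDOWS\\system32\\jxkqd.exe"
"SoundMan"="C:\\WINDOWS\\SOUNDMAN.EXE"
'''

# [KEY] header lines and "name"="string" value lines of the .reg format.
_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_STRING_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(s):
    """Undo the backslash escaping .reg files apply to quotes and backslashes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _norm(name):
    """Registry names are case-insensitive; also fold en/em dashes to '-'."""
    return name.replace("\u2013", "-").replace("\u2014", "-").casefold()


def parse_reg_export(text):
    """Return {key (casefolded): {value_name: data}} for REG_SZ values."""
    keys = {}
    current = None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).casefold()
            keys.setdefault(current, {})
            continue
        m = _STRING_VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_lirva_autostart(reg_text):
    """Return (value_name, data) pairs in Run matching the Lirva.C indicator."""
    run_values = parse_reg_export(reg_text).get(RUN_KEY.casefold(), {})
    target = _norm(LIRVA_VALUE_NAME)
    return [(name, data) for name, data in run_values.items()
            if _norm(name) == target]


if __name__ == "__main__":
    for name, data in find_lirva_autostart(SAMPLE_REG_EXPORT):
        print(f"Lirva.C autostart found: {name!r} -> {data}")
```

`reg export` writes UTF-16LE with a byte-order mark, so read a real export with `open(path, encoding="utf-16")` before passing its contents to `find_lirva_autostart`. The full `parse_reg_export` result is worth reviewing as well: the worm's copy in the system directory has a random name, so any Run entry pointing at an unfamiliar executable there deserves a look even if the value name was changed.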

The worm sends email to all the addresses it finds in the Windows Address Book, and it also uses email addresses it collects from files with these extensions:

.IDX
.NCH
.SHTML
.TBB
.HTM
.EML
.HTML
.WAB
.MBX
.DBX


The subject of the Lirva.C email, when it arrives in your mailbox, is chosen from the following list:

Fw: Prohibited customers
Re: Brigade Ocho Free membership
Re: According to Daos Summit
Fw: Avril Lavigne - the best
Re: Reply on account for IIS-Security
Re: ACTR/ACCELS Transcriptions
Re: The real estate plunger
Fwd: Re: Admission procedure
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header

The body of the infected email is chosen from one of these paragraphs:

Network Associates weekly report:
Microsoft has identified a security vulnerability in Microsoft IIS 4.0 and 5.0 that is eliminated by a previously-released patch.
Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action.
Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so to apply the patch immediately.
Patch is also provided to subscribed list of Microsoft Tech Support

Restricted area response team (RART)
Attachment you sent to %s is intended to overwrite start address at 0000:HH4F
To prevent from the further buffer overflow attacks apply the MSO-patch

Avril fans subscription FanList admits you to
take in Avril Lavigne 2003 Billboard awards ceremony
Vote for I’m with you!
Admission form attached below

The name of the attached file is chosen from the following list:

Resume.exe
Download.exe
MSO-Patch-0071.exe
MSO-Patch-0035.exe
Two-Up-Secretly.exe
Transcripts.exe
Readme.exe
AvrilSmiles.exe
AvrilLavigne.exe
Complicated.exe
Singles.exe
Sophos.exe
Cogito_Ergo_Sum.exe
CERT-Vuln-Info.exe
Sk8erBoi.exe
IAmWiThYoU.exe

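A mail gateway filter or an incident responder going through a mailbox can use the subject and attachment lists above as indicators. The Python script below is an added example, not FRISK's code; the two messages embedded in it are constructed samples (the base64 attachment body is placeholder text, not an executable), and the indicator lists are the ones given above. It goes slightly beyond the page by also flagging any other `.exe` attachment, since the fixed names are the weakest part of the signature.

```python
"""Flag mail carrying the Lirva.C subject and attachment-name indicators.

Added example, not FRISK's code. The messages below are constructed
samples; the indicator sets are the lists from the writeup.
"""
from email import message_from_string, policy

# Subject lines the worm chooses from.
LIRVA_SUBJECTS = {
    "Fw: Prohibited customers",
    "Re: Brigade Ocho Free membership",
    "Re: According to Daos Summit",
    "Fw: Avril Lavigne - the best",
    "Re: Reply on account for IIS-Security",
    "Re: ACTR/ACCELS Transcriptions",
    "Re: The real estate plunger",
    "Fwd: Re: Admission procedure",
    "Re: Reply on account for IFRAME-Security breach",
    "Fwd: Re: Reply on account for Incorrect MIME-header",
}

# Attachment names the worm chooses from.
LIRVA_ATTACHMENTS = {
    "Resume.exe", "Download.exe", "MSO-Patch-0071.exe", "MSO-Patch-0035.exe",
    "Two-Up-Secretly.exe", "Transcripts.exe", "Readme.exe", "AvrilSmiles.exe",
    "AvrilLavigne.exe", "Complicated.exe", "Singles.exe", "Sophos.exe",
    "Cogito_Ergo_Sum.exe", "CERT-Vuln-Info.exe", "Sk8erBoi.exe", "IAmWiThYoU.exe",
}

_SUBJECTS_CF = {s.casefold() for s in LIRVA_SUBJECTS}
_ATTACHMENTS_CF = {a.casefold() for a in LIRVA_ATTACHMENTS}

# Constructed sample shaped like the worm's mail; "UGxhY2Vob2xkZXI=" is
# base64 of the word "Placeholder", not executable content.
SAMPLE_MESSAGE = """From: someone@example.invalid
To: recipient@example.invalid
Subject: Re: Reply on account for IIS-Security
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="lirva-sample"

--lirva-sample
Content-Type: text/plain; charset="us-ascii"

Network Associates weekly report:
Microsoft has identified a security vulnerability in Microsoft IIS 4.0 and 5.0
--lirva-sample
Content-Type: application/octet-stream; name="MSO-Patch-0071.exe"
Content-Disposition: attachment; filename="MSO-Patch-0071.exe"
Content-Transfer-Encoding: base64

UGxhY2Vob2xkZXI=
--lirva-sample--
"""

# Constructed benign message for comparison.
CLEAN_MESSAGE = """From: colleague@example.invalid
To: recipient@example.invalid
Subject: Lunch on Friday?

Does noon work for you?
"""


def lirva_indicators(raw_message):
    """Return (kind, value) hits: known subject, known attachment name,
    or any other .exe attachment."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject.casefold() in _SUBJECTS_CF:
        hits.append(("subject", subject))
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        name_cf = filename.casefold()
        if name_cf in _ATTACHMENTS_CF:
            hits.append(("attachment", filename))
        elif name_cf.endswith(".exe"):
            hits.append(("executable", filename))
    return hits


if __name__ == "__main__":
    print(lirva_indicators(SAMPLE_MESSAGE))  # two hits: subject and attachment
    print(lirva_indicators(CLEAN_MESSAGE))   # []
```

Matching is case-insensitive on both subject and filename, and the subject check ignores surrounding whitespace; a message that hits on either the known subject or the known attachment name is enough to quarantine, while a bare "executable" hit is a lower-confidence signal that still merits review.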

It copies itself to the root directory and the Recycled directory of all network shares.

It copies itself to the Kazaa download folder with a random name.

If it finds ICQMAPI.DLL, the worm sends itself to everybody on your ICQ contact list.

It drops a file into the mIRC directory so that every time you log on to IRC you join the channel #avrillavigne, and whenever others join a channel you are on, it sends itself to them.


Sigurdur A. Stefnisson, FRISK Software International